[PATCH] Change winbindd to use the auth subsystem (use winbindd in AD DC)
abartlet at samba.org
Thu Mar 27 20:47:33 MDT 2014
On Thu, 2014-03-27 at 09:59 +0100, Volker Lendecke wrote:
> On Thu, Mar 27, 2014 at 09:11:45PM +1300, Andrew Bartlett wrote:
> > > Can you describe to me again what auth_samba4 provides that
> > > can not be provided by winbind going over a local NETLOGON
> > > pipe? This IMHO would be a much cleaner separation of code.
> > This keeps the current behaviour, which is to handle this in-process.
> Yes, I know. But as you know I never agreed with this
> design. I would like to discuss again to change it to use
> the NETLOGON pipe. For trusted domains we have to do it
I would like that as well. Even without trusted domains, we need this
because the RODC has to be able to forward authentication on to a full
DC. Even on the full DC we really should re-try failed authentications
with the PDC, in case the password changed.
Perhaps you could help by making that work for the classic DC case, and
then get back to me? It is there that I suspect we will have the more
major issues, such as those that the extra flags added are for (avoiding
looping auth and skipping PAM handling). The most difficult issue (due
to upgrades) will be the need for a self-join trust account.
Once all that is sorted out, having the AD DC mode follow suit doesn't
seem particularly impractical.
In the meantime, this patch resolves an existing issue that despite what
the administrator sets in 'auth methods', that auth_sam is always used
by winbindd. That it helps bootstrap the AD DC using winbindd effort is
of course also very helpful.
The use of winbindd in the AD DC isn't going to happen overnight, I'll
post an updated patch series, and get into master what of that is
reasonable. The rest we can continue to discuss until while we work on
Authentication Developer, Samba Team http://samba.org
Samba Developer, Catalyst IT http://catalyst.net.nz/services/samba
More information about the samba-technical